On Friday, the Federal Council (Bundesrat) approved the reform of the IT Security Act, which has been controversial for years. This means that the Federal Office for Information Security (BSI) can be upgraded to a powerful cyber authority with hacker powers. The Interior Committee had recommended convening the mediation committee with the Bundestag, as it saw the federal states as not being sufficiently involved in efforts to strengthen the security of IT systems. However, there was no majority in plenary for this.
Duty to inform about serious cybersecurity incidents
The state chamber was not required to approve the law. Through a mediation process, however, it could have delayed the project and possibly brought it down before the upcoming federal elections. With the approval of the Bundesrat, the way is now clear for most of the law passed by the Bundestag two weeks ago to come into force on the day after its promulgation in the Federal Law Gazette, once signed by the Federal President.
In a resolution, the federal states clearly criticize that the federal government has not complied with their appeal for stronger cooperation across the whole of Germany. For example, they point to the absence of a duty to inform about serious cybersecurity incidents. The Federal Council therefore calls on the Federal Government to create a normative basis so that the bodies responsible under state law are immediately provided with relevant information. Only then, it argues, can they quickly take emergency measures.
Botnets, Internet of Things and malware
With the law, the BSI is supposed to become a key player in the fight against botnets, neglected devices in the Internet of Things and spreaders of malware, thanks to 799 new positions, which account for 74.24 million euros in personnel costs. It is authorized to use port scans to detect security gaps at the interfaces between IT systems and public telecommunications networks. Furthermore, it should be allowed to use systems and methods for the analysis of malware and attack methods such as honeypots and sinkholes.
In order to ward off significant concrete threats to IT security, the BSI can order a provider of telecommunications services with more than 100,000 customers to distribute “technical commands to clean up a specifically named malicious program” to the IT systems concerned. The authority is required to ensure, technically and organizationally, that no unlawful interference with the fundamental right to the confidentiality and integrity of IT systems (the “Computergrundrecht”) occurs.
Inventory data information and “Huawei clause”
“Log data”, including personal user information such as IP addresses that arises during online communication between citizens and federal administrative institutions and parliamentarians, may in future be stored and evaluated by the BSI for 12 to 18 months. In addition, there is internal “logging data” from the authorities, i.e. records of the type of IT usage. To protect those affected and to issue notifications, the Office is authorized to obtain inventory data information from providers of telecommunications services. Overall, it is meant to be better able to detect widespread Trojans such as Emotet as well as complex attacks, which often originate from intelligence services.
Linked to the amendment is a “Huawei clause”, which sets the hurdle for excluding individual suppliers from network expansion, for example for 5G, rather high. The Federal Government is thus to be able to prohibit the use of “critical components” in the event of “likely impairments of public safety and order”. Such components are subject to a certification requirement, and manufacturers must submit a guarantee declaration.
Minimum protection standards are extended to companies
The Federal Ministry of the Interior can impose such a ban. To do so, however, it must “get in touch” with the departments concerned, such as the Federal Ministry of Economics and the Foreign Office. In the Telecommunications Act, which was reformed at the same time, the legislator has inserted a certification requirement for critical components in networks where there is an increased risk potential. The obligations of operators of critical infrastructures (Kritis) to report security incidents and to comply with minimum protection standards are extended to companies that are of particular public interest.
The Federal Council’s Economic Committee had also regretted that the modalities of the legislative procedure, with comment periods of sometimes only one day, “made the required participation” “considerably more difficult”. Associations and other stakeholders from civil society have likewise repeatedly and sharply criticized this violation of democratic practice.
A “good day for cybersecurity in Germany”
Federal Interior Minister Horst Seehofer (CSU) spoke of a “good day for cybersecurity in Germany” in view of the decision of the federal states. At a hearing, however, experts had hardly found a good word for the initiative. They complained, for example, that the BSI would be allowed to leave security vulnerabilities open and would thus become the “stooge of the security authorities”.